Compatibility between various w-lan standards

ABSTRACT

A method of performing selective filtering, and a network comprising a station, an AP and a PAC, are provided, whereby synchronisation between the AP and the PAC is performed in order to allow filtering of messages in at least the AP or the PAC. An AP is moreover provided that is able to perform both legacy and 802.11i association and authentication, whereby if an 802.11i station is encountered, filtering is performed until 802.11i association and authentication is successful, and if a legacy station is encountered, the station is allowed to initiate a login procedure with a PAC; if the station is not authenticated by the PAC, messages to the station in question are filtered.

FIELD OF THE INVENTION

The present invention relates to security aspects in the area of public access Wireless LANs (WLAN). More specifically the invention concerns compatibility between various versions of the W-LAN standards in

BACKGROUND

The majority of today's public access WLANs use Access Points that conform to the IEEE 802.11 standard, in particular 802.11b. A newer standard, 802.11a, has also gained popularity. In the following the above standards will be referred to as legacy standards.

A forthcoming version of the standard, IEEE 802.11i, addresses improvement of security. A need has been found for a new security framework overcoming the low level of security of 802.11b, including the now broken WEP encryption and MAC layer authentication. Therefore, a new encryption algorithm, AES, and a new authentication mechanism, based on mutual authentication, EAP signalling and 802.1X, are included in the new security framework, as discussed in IEEE 802.11i.

WECA is an industry organization for promoting IEEE 802.11 WLAN and for establishing interoperability requirements for 802.11 products. WECA is also currently writing a recommended practice with the goal to increase the possibility for roaming between different Wireless Internet Service Providers (WISP). This recommended practice specifies a public access WLAN architecture that is briefly discussed below.

The current state of the art, as recommended by WECA's WISPr committee, is to place the task of authentication into a special network node, a Public Access Control (PAC) Gateway. The APs are all connected directly to the PAC and the only access to the rest of the network goes through the PAC (see FIG. 1).

The Access Points use “open system” authentication and no encryption when communicating with the STAs. There is thus no access control in the APs. The real authentication and access control is done in the PAC gateway. Login credentials are transported between the STA and the PAC over HTTP protected by SSL. The process is as follows: when the user starts the laptop, the WLAN NIC associates with an AP. The user then starts a web browser on the STA. The PAC intercepts any HTTP request and sends a login web page to the STA. The user enters username and password on the web page. The PAC then verifies the credentials, e.g. against a remote authentication server. If the credentials are OK, the PAC starts to forward traffic between the STA and the rest of the network.

It is claimed by WECA that this is the solution implemented by the majority of WISPs today. This architecture has also been implemented in the first release of Ericsson's WLAN-GPRS inter-working solution. In that solution, the PAC gateway is called Access Serving Node (ASN).

An improved security standard for 802.11 has been suggested in IEEE 802.11i. This new standard will make it possible to perform a much-improved authentication in the AP compared with what is possible with the 802.11-1999 standard. IEEE 802.11i will use IEEE 802.1X and EAP as the security framework. This means that there is no longer a need for a web-based login in a PAC gateway; a satisfactory solution can be achieved with just 802.11i-capable APs and STAs. IEEE 802.11i also specifies enhanced encryption algorithms whose operation is closely tied to the 802.1X authentication procedure.

A security problem occurs when mixing legacy equipment, i.e. equipment compliant with the existing standard, with 802.11i-capable equipment in the same cell. The problem is simply one of distributed responsibility. According to the WECA reference model for legacy WLAN networks, the PAC will be responsible for authenticating the legacy STAs, while the AP itself, according to the IEEE 802.11i model, will be responsible for authenticating new 802.11i STAs. Filtering and access control is thus done at two places in the network. This architecture may enable access for fraudulent users signalling to the AP that it is a legacy STA, while at the same time indicating to the PAC that it is a new 802.11i-enabled STA. It is seen that this STA may be accessing the system with no authentication at all.
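The distributed-responsibility gap described above can be made concrete with a small model of the two uncoordinated access-control decisions. This is an added illustration, not code from the patent or from any WECA or IEEE specification; the station attributes, function names and the "both nodes must forward" rule are assumptions made for the model. The AP decides from the association type it observed and defers legacy stations to the PAC; the PAC decides from what the station signals to it and defers 802.11i stations to the AP; nothing synchronises the two.

```python
"""Model of the 'distributed responsibility' gap in a mixed legacy/802.11i cell.

Added illustration.  The AP applies the IEEE 802.11i model (authenticate
802.11i stations with 802.1X, forward legacy stations because the PAC is
responsible for them); the PAC applies the WECA model (web login for
legacy stations, forward stations that present themselves as 802.11i
because the AP is responsible for them).  Neither node tells the other
what it decided.  All names and inputs below are constructed.
"""
from dataclasses import dataclass


@dataclass
class StationBehaviour:
    """What one station presents to each node (constructed test input)."""
    assoc_type_at_ap: str      # "legacy" or "802.11i", as observed by the AP
    claimed_type_at_pac: str   # what the station signals to the PAC
    completed_8021x: bool      # finished EAP/802.1X with the AP
    completed_web_login: bool  # finished the HTTP/SSL login with the PAC


def ap_forwards(sta: StationBehaviour) -> bool:
    """Uncoordinated AP: 802.11i stations must pass 802.1X; legacy stations
    are forwarded because 'the PAC will authenticate them'."""
    if sta.assoc_type_at_ap == "802.11i":
        return sta.completed_8021x
    return True


def pac_forwards(sta: StationBehaviour) -> bool:
    """Uncoordinated PAC: legacy stations must pass the web login; stations
    that present themselves as 802.11i are trusted to have been
    authenticated by the AP."""
    if sta.claimed_type_at_pac == "legacy":
        return sta.completed_web_login
    return True


def reaches_network(sta: StationBehaviour) -> bool:
    """Traffic reaches the rest of the network only if both nodes forward it,
    since every AP sits behind the PAC (FIG. 1 architecture)."""
    return ap_forwards(sta) and pac_forwards(sta)


def gap_cases() -> dict:
    """Access outcomes for honest stations and for an inconsistent one."""
    return {
        "legacy_no_login": reaches_network(StationBehaviour("legacy", "legacy", False, False)),
        "legacy_logged_in": reaches_network(StationBehaviour("legacy", "legacy", False, True)),
        "11i_no_8021x": reaches_network(StationBehaviour("802.11i", "802.11i", False, False)),
        "11i_authenticated": reaches_network(StationBehaviour("802.11i", "802.11i", True, False)),
        # Inconsistent station: legacy towards the AP, 802.11i towards the PAC,
        # no authentication anywhere.  Each node defers to the other.
        "inconsistent_no_auth": reaches_network(StationBehaviour("legacy", "802.11i", False, False)),
    }
```

The last entry is the case the text warns about: every honest station is handled correctly, yet a station that presents a different type to each node is forwarded by both without ever authenticating. The defect is not in either node's policy but in the absence of a shared view of the station's state, which is what the AP-PAC signalling of the embodiments below is meant to provide.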

SUMMARY OF THE INVENTION

It is a first object of the invention to provide backwards compatibility for the new 802.11i, while supporting WEP and MAC layer authentication.

This object has been accomplished by the subject matter of claim 1.

Further advantages will appear from the following detailed description of the invention.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 shows a known architecture including a public access gateway providing WEP based authentication, and filtering if the provided authentication is not proved,

FIG. 2 shows a network architecture according to a first embodiment of the invention, including a PAC,

FIG. 3 shows a flowchart for an access point of a first embodiment according to the invention,

FIG. 4 shows aspects of the signalling protocol relating to a legacy station, the associated AP and the PAC according to the first embodiment of the invention,

FIG. 5 shows aspects of the signalling protocol relating to an 802.11i station, the associated AP and the PAC according to the first embodiment of the invention,

FIG. 6 shows a flowchart for an access point of a second embodiment of the invention,

FIG. 7 shows aspects of the signalling protocol relating to a legacy station, the associated AP and the PAC according to the second embodiment of the invention, and

FIG. 8 shows aspects of the signalling protocol relating to an 802.11i station, the associated AP and the PAC, according to the second embodiment of the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF THE INVENTION

First Embodiment of the Invention

A new signalling protocol between AP and PAC has been provided according to the first embodiment of the invention.

In this solution, the PAC does the web-login and the APs implement the 802.11i functionality, according to the reference architecture advised by WECA and IEEE. Both legacy and 802.11i STAs can authenticate. Legacy STAs authenticate over the web interface against the PAC gateway and 802.11i-capable STAs authenticate using EAP and 802.1X in the AP. Authentication is usually performed against a backend server (a AAA server) and it is only the access control function that is performed by the AP and PAC respectively. We will however not address details regarding a potential AAA server since it is the access control function that is central to this embodiment. Authentication against an AAA server is one possible implementation.

In order to coordinate the access control state machines in the AP and the PAC a new signalling protocol between AP and PAC has to be introduced. There are several possible alternatives:

First Alternative of First Embodiment

In this solution the PAC is responsible for web-login but is otherwise completely transparent. The AP on the other hand filters all frames to/from unauthenticated STAs and shall only forward frames from authenticated STAs.

If an 802.11i-capable STA associates with the AP and performs a successful 802.1X-authentication, the AP starts to forward frames to/from this STA.

If a legacy STA associates with the AP, the PAC has to authenticate it. The AP shall send frames from the STA to the PAC in a recognizable and preferably secure way. The AP could e.g. encapsulate the frames in an IPSec tunnel to the PAC. The AP and PAC could also share a secret that the AP uses to encrypt and authenticate each frame. In any case, the PAC can recognize these packets as traffic coming from an unauthenticated STA. The PAC can then process these packets. If the packets e.g. contain DHCP requests or HTTP requests for the login web page, the PAC responds to the requests while other packets are discarded. When the web-login is successfully completed, the PAC sends a special message to the AP telling it that the STA is authenticated and that the AP can start to forward traffic to/from the STA without encapsulating it in any special way.

An advantage of this solution is that the network architecture can be relaxed; not all traffic has to pass through the PAC. Instead the PAC could be any kind of PC with a HTTP/SSL server (see example in FIG. 2).

According to step 1 in FIG. 3 the AP receives a message from a station, whereupon the AP determines whether the station is a legacy station or an 802.11i station, step 2.

As illustrated in FIG. 4, the normal legacy procedure for association and authorisation is carried out, enabling the station to communicate with the AP. This has been shown by step 3 in FIG. 3.

Any message from the station in question will trigger a following AP-PAC_data_ind message from the AP towards the PAC, indicating to the PAC that the station needs authentication before the PAC.

In order to accomplish login, a PAC timer may be set in the AP and traffic is forwarded to and from the PAC, for instance using AP_PAC encapsulation, step 5.

The PAC, in turn, transmits a web based login page to the AP, which is delivered to the station. The user of the station may then provide the credentials according to the normal procedure for login, for instance a secret PIN code.

The PAC responds with an AP_PAC_add_req message, step 7, informing whether the PAC has accepted or barred the station. If the station is authenticated, step 8, the AP “opens the switch” in the AP, and allows traffic from the station to pass without filtering.

If the login procedure could not be completed within the time limit indicated according to the PAC timer and the test according to step 6, the AP stops transferring traffic from the particular station.

If—instead of a legacy station—an 802.11i station is detected in step 2, the station associates and authenticates with the AP according to the ordinary 802.11i procedures, as shown in FIG. 5, the AP “opens the switch” and forwards any traffic. No AP_PAC message is required before the PAC. These steps have been shown in steps 4 and 9 in FIG. 3.

Second Alternative of First Embodiment

In this solution, the filtering of unauthenticated traffic is performed by the PAC and not by the AP. If the AP receives a frame not destined to it, it always forwards the frame. It is then up to the PAC to filter unauthenticated frames and to perform the web-login procedure. For this purpose, an architecture according to FIG. 1 is chosen.

In FIG. 6, this procedure has been shown, whereby in step 1 the AP receives a message from a new station and in step 2 the AP determines whether a legacy or 802.11i station is encountered.

If an 802.11i-capable STA sends EAP frames destined to the AP, the AP processes these (possibly by forwarding them to a AAA server) and performs the 802.1X-authentication procedure, cf. step 4 in FIG. 6. If the procedure is successful, the AP sends a special message to the PAC, step 9, indicating that the STA is authenticated and that the PAC should start forwarding frames to/from this STA. This message should preferably be sent in a secure way.

If—on the other hand—a legacy STA associates with the AP, as illustrated in FIG. 8, the AP performs the normal legacy association and authentication procedure, step 3. At the same time, a PAC timer is set in the AP with the same purpose as set out above. The AP continues to forward traffic to and from this station, step 5. If during this time the station sends any message to the PAC, the PAC responds with the web login page back to the station. If a correct password is received in the PAC from the station, the PAC opens the switch in the PAC. If on the other hand an erroneous password is received, the PAC closes the switch and transmits an AP_PAC_remove_req to the AP, step 7, stopping the transfer of traffic for the station in question between the AP and the PAC and effectuating a disassociation of the station before the AP, step 10.

Third Alternative of First Embodiment

According to the third alternative of the first embodiment, both AP and PAC perform filtering.

This solution is a combination of the solutions above. In order for traffic from an STA to pass, both the AP and the PAC must forward the frame.
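The three alternatives of the first embodiment differ only in which node filters and in the direction of the synchronising messages, so they can be simulated with one pair of state machines and a filtering-mode setting. The following is an added illustration, not the patent's protocol or any vendor's code. The message names AP_PAC_data_ind, AP_PAC_add_req and AP_PAC_remove_req are taken from the description above; the name AP_PAC_auth_ind for the unnamed "special message" the AP sends to the PAC in the second alternative, the timer length, the station identifiers and the state names are assumptions made here.

```python
"""AP and PAC access-control state machines with the AP-PAC signalling of the
first embodiment (mode "ap_filters"), the second ("pac_filters") and the third
("both").  Added illustration; AP_PAC_auth_ind, PAC_TIMER_SECONDS and all
station identifiers are constructed assumptions."""
from dataclasses import dataclass, field

PAC_TIMER_SECONDS = 60  # assumed login deadline; the description gives no value
OPEN, TO_PAC, BLOCKED = "open", "to_pac", "blocked"


@dataclass
class AccessPoint:
    mode: str                                       # ap_filters | pac_filters | both
    open_switch: set = field(default_factory=set)   # stations the AP forwards freely
    deadline: dict = field(default_factory=dict)    # station -> PAC timer expiry
    removed: set = field(default_factory=set)       # disassociated stations
    outbox: list = field(default_factory=list)      # (message, station, flag) to PAC

    def station_arrives(self, sta, sta_type, now, eap_ok=False):
        """Step 2: branch on the association type the AP itself observed.
        802.11i stations open only after 802.1X; legacy stations get a PAC
        timer and the PAC is told that they still need authentication."""
        if sta_type == "802.11i":
            if eap_ok:
                self.open_switch.add(sta)
                if self.mode != "ap_filters":       # second/third alternative
                    self.outbox.append(("AP_PAC_auth_ind", sta, True))
        else:
            self.deadline[sta] = now + PAC_TIMER_SECONDS
            self.outbox.append(("AP_PAC_data_ind", sta, None))

    def on_pac_message(self, msg, sta, accepted):
        """Step 7: AP_PAC_add_req opens or bars; AP_PAC_remove_req disassociates."""
        if msg == "AP_PAC_add_req" and accepted:
            self.open_switch.add(sta)
            self.deadline.pop(sta, None)
        else:
            self.open_switch.discard(sta)
            self.deadline.pop(sta, None)
            self.removed.add(sta)

    def state(self, sta, now):
        """What the AP does with this station's frames right now."""
        if sta in self.removed:
            return BLOCKED
        if self.mode == "pac_filters" or sta in self.open_switch:
            return OPEN      # second alternative: AP forwards all frames not for itself
        if now <= self.deadline.get(sta, -1):
            return TO_PAC    # step 5: encapsulated to the PAC, login traffic only
        return BLOCKED       # step 6: PAC timer expired without a login


@dataclass
class PacGateway:
    mode: str
    open_switch: set = field(default_factory=set)
    outbox: list = field(default_factory=list)

    def on_ap_message(self, msg, sta, flag):
        # Only the AP's own message opens the PAC for an 802.11i station; what
        # the station claims about itself is never consulted.
        if msg == "AP_PAC_auth_ind" and flag:
            self.open_switch.add(sta)

    def web_login(self, sta, password_ok):
        """Outcome of the web login and the message that synchronises the AP."""
        if password_ok:
            self.open_switch.add(sta)
            if self.mode != "pac_filters":
                self.outbox.append(("AP_PAC_add_req", sta, True))
        else:
            self.open_switch.discard(sta)
            if self.mode == "pac_filters":
                self.outbox.append(("AP_PAC_remove_req", sta, False))
            else:
                self.outbox.append(("AP_PAC_add_req", sta, False))

    def forwards(self, sta):
        if self.mode == "ap_filters":
            return True      # first alternative: PAC is transparent apart from login
        return sta in self.open_switch


def deliver(ap, pac):
    """Exchange queued messages over the AP-PAC protocol."""
    while ap.outbox:
        pac.on_ap_message(*ap.outbox.pop(0))
    while pac.outbox:
        ap.on_pac_message(*pac.outbox.pop(0))


def reaches_network(ap, pac, sta, now):
    """Third alternative's rule; it also covers the first two because the
    transparent node is modelled as always forwarding."""
    return ap.state(sta, now) == OPEN and pac.forwards(sta)


def scenario(mode):
    """Runs the cases from the description in one filtering mode."""
    ap, pac = AccessPoint(mode), PacGateway(mode)
    ap.station_arrives("sta-legacy", "legacy", now=0)         # constructed stations
    ap.station_arrives("sta-11i", "802.11i", now=0, eap_ok=True)
    ap.station_arrives("sta-late", "legacy", now=0)
    ap.station_arrives("sta-bad", "legacy", now=0)
    ap.station_arrives("sta-fraud", "legacy", now=0)          # tells the PAC it is 802.11i
    deliver(ap, pac)
    before_login = reaches_network(ap, pac, "sta-legacy", now=1)
    pac.web_login("sta-legacy", password_ok=True)
    pac.web_login("sta-bad", password_ok=False)
    deliver(ap, pac)
    return {
        "legacy_before_login": before_login,
        "legacy_after_login": reaches_network(ap, pac, "sta-legacy", now=2),
        "11i_after_8021x": reaches_network(ap, pac, "sta-11i", now=2),
        "legacy_timer_expired": reaches_network(ap, pac, "sta-late", now=PAC_TIMER_SECONDS + 1),
        "legacy_bad_password": reaches_network(ap, pac, "sta-bad", now=2),
        "fraud_no_auth": reaches_network(ap, pac, "sta-fraud", now=2),
    }
```

Running `scenario()` for each of the three modes gives the same outcomes: a legacy station is forwarded only after the web login, an 802.11i station only after 802.1X, a station that lets the PAC timer expire or supplies a wrong password is cut off, and the inconsistent station from the background section is blocked in every mode, because the PAC only opens on a message from the AP and the AP only opens on a message from the PAC.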

Second Embodiment

According to the second embodiment of the invention, configuration of the network is performed in legacy (insecure) or 802.11i (secure) mode.

A simple solution is to run the network in either legacy mode or 802.11i mode. In the former case, login is done over HTTP/SSL and 802.11i-capable STAs have to run (if possible) in a legacy mode. In the latter case, legacy STAs are unable to authenticate to the AP; only 802.11i-capable STAs may authenticate. For a real 802.11i level of security, i.e. no legacy STAs are accepted to enter the network, the latter case is the only solution.

Third Embodiment

According to the third embodiment, the AP does all authentication functions. In this solution, the web-login functionality is moved from the PAC to the APs. HTTP/SSL servers therefore have to be implemented in each AP. Both legacy and 802.11i STAs can now authenticate in a single cell; the AP has to adjust the authentication procedure (web-login or 802.1X-authentication) to the capabilities of the STA.

The method described in solution 3 extends typical implementations, e.g. Ericsson's ASN solution, of the WECA reference model.

Fourth Embodiment

According to the fourth embodiment of the invention, the PAC does all authentication functions.

In this solution, the PAC keeps the web-login. The 802.11i functionality is divided between the AP and the PAC. Encryption according to 802.11i (requiring HW support) is still done in each AP but the IEEE 802.1X and EAP support is implemented in the PAC gateway. As in solution 3, both legacy and 802.11i STAs can authenticate but now the PAC has to adapt to the capabilities of the STA.

Since establishment and refreshing of session encryption keys is done by 802.1X and EAP (in the PAC) and the actual encryption/decryption is performed in the AP, an AP-PAC protocol is invented to transport keying material between the APs and the PAC gateway. This protocol is similar to the one outlined in solution 1, and is not described further here.

The method described in solution 4 violates the IEEE reference model.

In conclusion, the invention describes a new solution to the well-known security problem in 802.11 WLANs. The method is compatible with protocols standardised by IEEE and WECA, but goes one step further and specifies a new protocol between the network nodes in the WECA reference architecture. Furthermore, 3 alternative methods are described, including modifications to the security architecture described by the WECA reference architecture.

A mechanism such as described here will be necessary in order to provide a secure WLAN network when 802.11i equipment starts to appear on the market. It is not a new authentication mechanism that is invented; authentication of a STA is done using the WECA and the IEEE authentication methods. The invention solves the problem of distributed responsibility by tying together the WECA and IEEE security protocols and synchronising the security information in the fixed nodes in the WLAN backbone.

1-3. (canceled)
4. A wireless access point (AP) operative to perform authentication for both legacy 802.11x and 802.11i wireless stations, wherein: if an 802.11i wireless station is encountered by said AP, filtering is performed until a 802.11i association and authentication is completed; if a legacy 802.11x wireless station is encountered by said AP, allowing the wireless station to initiate a login procedure with a Public Access Control gateway (PAC); and, if the 802.11x wireless station is not authenticated by the PAC, filter all messages from the wireless station.

5. The AP according to claim 4, wherein: if a legacy 802.11x wireless station is encountered, in order to accomplish login, a PAC timer is set and traffic is forwarded by said AP to and from the PAC using encapsulation, and transmitting a message from said AP to said PAC indicating that the wireless station needs authentication, said PAC operative to transmit a web based login page to the legacy 802.11x wireless station.

6. The AP according to claim 5, wherein said AP waits for a message from the PAC indicative of successful authorisation of the legacy 802.11x wireless station and, once received, allows traffic to and from the legacy 802.11x wireless station without filtering.